Incorporating cloud into your IT strategy means incorporating cloud security into your IT security strategy. Security in the cloud is a shared responsibility between your team and your cloud provider. It’s important to be aware of where the cloud provider’s responsibilities end and yours begin.

Cloud Security Responsibilities Depend on the Type of Cloud

The aspects of security that you are responsible for depend on the type of cloud service you are using.

Software as a Service (SaaS)

When you use SaaS, you have no control over the physical infrastructure or the applications installed. However, your data and access to it remains your responsibility. You need to manage identities and assign users appropriate privileges, and you should have access to logs that allow you to monitor access. In addition, you still own your data. It’s a good idea to have a backup strategy that allows you to access your data in some form even if the cloud service is down.

Platform as a Service (PaaS)

PaaS exposes more of the underlying infrastructure than SaaS, but the cloud provider handles security for services including the operating system and middleware. You are responsible for user access and privileges, as you are with SaaS. In addition, you have ownership of applications. You need to ensure all configuration settings keep private applications private.

Infrastructure as a Service (IaaS)

IaaS means your security responsibilities are very similar to your responsibilities for infrastructure in your data center. The provider handles the physical infrastructure, including servers, storage and networking, but you are responsible for the operating system as well as your applications. That means you need to be aware of vulnerabilities and install any patches released to correct them.

Achieving Security in the Cloud

There are many steps you can take to ensure your data is secure in the cloud, whichever type of cloud you have. These include:

• Training employees. Training employees to compute safely is important wherever your data is stored, but especially when it’s stored in the cloud. Make sure they know safe computing practices, can recognize phishing attempts, and know where they should report a phishing attempt. (SaaS, PaaS, IaaS).
• Limit privileges. Manage your user identities and privileges in the cloud. Use role based access controls to ensure their access aligns with their job responsibilities. When possible, use federated identity systems to ensure consistency across platforms. Review privileges at least annually and routinely monitor usage to detect unusual patterns of behavior. (SaaS, PaaS, IaaS).
• Encrypt data. Ensure data is encrypted when stored in the cloud. When possible, manage your encryption keys yourself. (SaaS, PaaS, IaaS).
• Review system configurations. Many data breaches result from misconfigurations that make private data public. Review your system configurations and don’t accept vendors’ default settings. (PaaS, IaaS).
• Monitor suspicious activity. Network activity can be a key indicator of attempted intrusions. (PaaS, IaaS). 

You may need to introduce tools to add additional security to your cloud, including firewalls and cloud access security brokers. Contact Prescient Solutions to learn more about achieving effective security in your cloud.